cloud-audit 2.2.0__tar.gz → 2.2.1__tar.gz

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/CHANGELOG.md

@@ -7,6 +7,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.2.1] - 2026-05-12
+
+### Changed
+
+- **TF-001 (SES phishing setup)** - severity escalation logic rewritten.
+  HIGH now requires BOTH out-of-sandbox AND a burst of >=2 recent
+  identity verifications in the same account scan. The previous
+  "email identity without matching domain" escalation has been removed:
+  it modeled the wrong attacker behaviour. Wiz's September 2025 research
+  documented attackers *"adding multiple domains as verified identities
+  using the CreateEmailIdentity API"* in quick succession - a burst
+  pattern, not a single typosquat email. The new logic matches what
+  the source incident actually documented.
+
+- **TF-004 (leaked-creds scanner UA)** - removed `cloudgrappler` and
+  `detention-dodger` from the user-agent signature list. Both are
+  Permiso DEFENSIVE tools - their UA appearing in CloudTrail means a
+  defender is running them against the account, not that the account
+  is under attack. The detector now only matches OFFENSIVE scanner
+  signatures (`trufflehog`, `gitleaks`, `noseyparker`, `secretscanner`).
+  Module docstring updated with an explicit detection caveat: scanners
+  using stock AWS SDK / boto3 / aws-cli default user-agents look
+  identical to legitimate traffic and will not trigger this pattern.
+
+- **TF-004 references** - replaced a fabricated TruffleHog blog URL in
+  the references list with the verified BleepingComputer / Kaspersky
+  May 2026 SES abuse coverage and the official TruffleHog GitHub repo.
+
+### Tests
+
+- 742 -> 747 (+5 net). New regression tests:
+  - `test_email_no_matching_domain_does_not_escalate` (TF-001) proves
+    the removed typosquat heuristic does not return.
+  - `test_burst_out_of_sandbox_escalates_to_high` and
+    `test_burst_in_sandbox_stays_medium` cover the new escalation rule.
+  - `test_burst_only_counts_recent_identities` verifies the burst
+    counter respects the 14-day window.
+  - `test_cloudgrappler_ua_not_flagged` and
+    `test_detention_dodger_ua_not_flagged` (TF-004) prove defensive
+    tools are now excluded.
+
 ## [2.2.0] - 2026-05-12
 
 ### Added

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cloud-audit
-Version: 2.2.0
+Version: 2.2.1
 Summary: Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation.
 Project-URL: Homepage, https://haitmg.pl/cloud-audit/
 Project-URL: Documentation, https://haitmg.pl/cloud-audit/

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cloud-audit"
-version = "2.2.0"
+version = "2.2.1"
 description = "Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation."
 readme = "README.md"
 license = "MIT"

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/src/cloud_audit/providers/aws/threat_feed/ses_phishing.py

@@ -1,22 +1,28 @@
 """TF-001: SES phishing setup precursors.
 
-The SES abuse campaigns documented by Wiz (May 2025) and BleepingComputer
+The SES abuse campaigns documented by Wiz (September 2025) and BleepingComputer
 (May 2026) follow a consistent pattern: an attacker compromises AWS
-credentials, calls GetSendQuota to confirm out-of-sandbox status, verifies
-a fresh email or domain identity (often a typosquat of a trusted brand),
-and blasts phishing through SES so messages arrive with the trust signal
-of AWS-IP-sourced delivery.
+credentials, calls GetSendQuota to confirm out-of-sandbox status, then -
+per Wiz's direct quote - "adds multiple domains as verified identities
+using the CreateEmailIdentity API" so they can blast phishing through SES
+from common prefixes (admin@, billing@, sales@, noreply@) on those domains.
 
 We surface the precursor that is visible from the control plane: SES email
-identities verified RECENTLY in an account that has production sending
-enabled. We do not have visibility into whether the identity is benign
-(legitimate marketing setup) or malicious - we flag at MEDIUM and let the
-operator triage.
-
-Two stronger sub-signals raise severity to HIGH when present:
-- Identity is an email address that doesn't match a domain identity in the
-  same account (typosquats / one-off addresses are red flags)
-- Account has elevated send quota (production sending out of sandbox)
+or domain identities verified RECENTLY. We do not have visibility into
+whether the identity is benign (legitimate marketing setup) or malicious -
+we flag at MEDIUM and let the operator triage.
+
+Severity escalates to HIGH when BOTH of these are true:
+- The account has production sending enabled (out of SES sandbox), so
+  abuse would reach external recipients without the per-recipient
+  verify-first restriction.
+- The account has TWO OR MORE identities verified in the recent window
+  (the "burst" pattern Wiz documented - attackers add multiple domains
+  in quick succession, not one).
+
+Severity does NOT escalate on "email identity without matching domain"
+(an earlier draft of this detector used that signal - it was wrong;
+Wiz documented attackers verifying domains, not single-email typosquats).
 
 References:
     - https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign
@@ -51,20 +57,25 @@ _RECENT_DAYS = 14
 14 days catches campaign-style bursts without flagging legitimate identities
 that have been around for months."""
 
+_BURST_THRESHOLD = 2
+"""Number of recent verifications that triggers HIGH severity escalation.
+
+Wiz documented attackers "adding multiple domains as verified identities"
+in quick succession. Two or more recent verifications in the same account
+matches that burst signature."""
+
 
 def _build_finding(
     identity_name: str,
     identity_type: str,
     region: str,
-    created_at: datetime | None,
+    created_at: datetime,
     out_of_sandbox: bool,
-    is_email_no_matching_domain: bool,
+    recent_burst_count: int,
 ) -> Finding:
-    severity = Severity.HIGH if (out_of_sandbox and is_email_no_matching_domain) else PATTERN_SEVERITY
-    age_str = "unknown age"
-    if created_at:
-        age_days = (datetime.now(timezone.utc) - created_at).days
-        age_str = f"verified {age_days} days ago"
+    is_burst = recent_burst_count >= _BURST_THRESHOLD
+    severity = Severity.HIGH if (out_of_sandbox and is_burst) else PATTERN_SEVERITY
+    age_days = (datetime.now(timezone.utc) - created_at).days
 
     sandbox_note = (
         " The account has production sending enabled (out of SES sandbox), so messages "
@@ -73,11 +84,11 @@ def _build_finding(
         if out_of_sandbox
         else " The account is still in SES sandbox - external impact limited."
     )
-    typosquat_note = (
-        " The identity is an EMAIL address with no matching DOMAIN identity in the same "
-        "account - a common typosquat / one-off setup pattern in attacker-driven SES "
-        "abuse campaigns."
-        if is_email_no_matching_domain
+    burst_note = (
+        f" {recent_burst_count} identities have been verified in this account in the last "
+        f"{_RECENT_DAYS} days - a burst pattern matching Wiz's documented incident where "
+        "attackers added multiple domains as verified identities in quick succession."
+        if is_burst
         else ""
     )
     return Finding(
@@ -89,12 +100,12 @@ def _build_finding(
         resource_id=f"ses:{region}:{identity_name}",
         region=region,
         description=(
-            f"SES identity '{identity_name}' ({age_str}) is verified in {region}. The Wiz "
-            "May 2025 research and BleepingComputer May 2026 follow-up document a "
-            "consistent SES abuse pattern in stolen-credential incidents: attackers verify "
-            "a fresh identity to send phishing through SES so messages carry AWS IP "
-            f"reputation.{sandbox_note}{typosquat_note} Confirm the identity was created "
-            "by an authorized operator."
+            f"SES identity '{identity_name}' was verified {age_days} days ago in {region}. "
+            "The Wiz September 2025 research and BleepingComputer May 2026 follow-up "
+            "document a consistent SES abuse pattern in stolen-credential incidents: "
+            "attackers verify SES identities and blast phishing through SES so messages "
+            f"carry AWS IP reputation.{sandbox_note}{burst_note} Confirm the verification "
+            "was performed by an authorized operator."
         ),
         recommendation=(
             "(1) Confirm the verification was authorized by your team. (2) If unexpected, "
@@ -163,39 +174,39 @@ def _scan_region(provider: AWSProvider, region: str) -> tuple[int, list[Finding]
             return 0, []
         raise
 
-    # Build set of verified domains (for typosquat detection)
-    verified_domains = {i.get("IdentityName", "") for i in identities if i.get("IdentityType") == "DOMAIN"}
-
     cutoff = datetime.now(timezone.utc) - timedelta(days=_RECENT_DAYS)
 
+    # First pass: collect every recently-verified identity with its CreatedTimestamp.
+    # The burst count is the SAME for every finding emitted from a single account scan -
+    # it reflects the total recent activity in the SES inventory, which is the signature
+    # Wiz documented (attackers add multiple identities, not one). We must count first
+    # so that the count is correct on every emitted finding.
+    recent_entries: list[tuple[str, datetime]] = []
     for identity in identities:
         scanned += 1
         name = identity.get("IdentityName", "")
         if not name:
             continue
         if not identity.get("VerifiedForSendingStatus", False):
-            continue  # Pending/failed identities aren't usable for phishing
-
-        # Look up details for created timestamp
+            continue
         try:
             detail = ses.get_email_identity(EmailIdentity=name)
         except Exception:
             continue
         created_at = detail.get("CreatedTimestamp")
         if not isinstance(created_at, datetime):
-            # Some boto3 versions return raw datetime, others may return a string.
-            # If we can't parse, skip rather than over-flag.
             continue
         if created_at.tzinfo is None:
             created_at = created_at.replace(tzinfo=timezone.utc)
         if created_at < cutoff:
-            continue  # Not recent
+            continue
+        recent_entries.append((name, created_at))
 
-        is_email_no_match = False
-        if _is_email(name):
-            domain_part = name.rsplit("@", 1)[-1]
-            is_email_no_match = domain_part not in verified_domains
+    recent_burst_count = len(recent_entries)
+    if recent_burst_count == 0:
+        return scanned, []
 
+    for name, created_at in recent_entries:
         findings.append(
             _build_finding(
                 identity_name=name,
@@ -203,7 +214,7 @@ def _scan_region(provider: AWSProvider, region: str) -> tuple[int, list[Finding]
                 region=region,
                 created_at=created_at,
                 out_of_sandbox=out_of_sandbox,
-                is_email_no_matching_domain=is_email_no_match,
+                recent_burst_count=recent_burst_count,
             )
         )
 

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/src/cloud_audit/providers/aws/threat_feed/trufflehog_ua.py

@@ -1,4 +1,4 @@
-"""TF-004: TruffleHog (and similar leaked-creds-discovery tools) user-agent in CloudTrail.
+"""TF-004: leaked-creds-discovery scanner user-agent in CloudTrail.
 
 When credentials leak to public sources (GitHub commits, paste sites,
 shipping logs), automated discovery tools immediately scrape and validate
@@ -6,19 +6,32 @@ them. The most common validation is `aws sts get-caller-identity` because
 it requires zero permissions to call but tells the attacker who the
 credentials belong to.
 
-TruffleHog (the most common scanner) leaves a recognisable user-agent
-signature when it makes that call. Other scanners (gitleaks, CloudGrappler,
-DetentionDodger validators) have similar signatures.
+TruffleHog, gitleaks, NoseyParker and similar OFFENSIVE leaked-credentials
+scanners *can* leave a recognisable user-agent substring when their HTTP
+clients are invoked with a custom UA (e.g. TruffleHog's `--user-agent-suffix`
+flag). TF-004 catches those cases.
 
-Seeing such a UA in CloudTrail = your credentials were validated by an
-external automated scanner = treat as confirmed exposure even before any
-exploitation event lands. We surface CRITICAL because the next step in the
-attack chain is typically CreateFunction / RunInstances / VerifyEmailIdentity
-within minutes.
+DETECTION LIMITATION (be honest with yourself): when these scanners use the
+stock AWS SDK / boto3 / aws-cli default user-agent, their calls look
+identical to legitimate traffic and TF-004 will NOT flag them. Absence of a
+hit does not mean nothing scanned your keys; presence of a hit is a strong
+signal that something did. Pair this with TF-003 (quarantine policy) and
+behavioural CloudTrail monitoring (e.g. Prowler's
+`cloudtrail_threat_detection_enumeration`) for fuller coverage.
+
+We deliberately exclude DEFENSIVE tools like Permiso's CloudGrappler and
+DetentionDodger from the signature list - those running against your account
+are your own (or your auditor's) and should not generate findings.
+
+Seeing such a UA in CloudTrail = your credentials were likely validated by
+an external offensive scanner = treat as confirmed exposure. We surface
+CRITICAL because the next step in the attack chain is typically
+CreateFunction / RunInstances / VerifyEmailIdentity within minutes.
 
 References:
-    - https://trufflesecurity.com/blog/the-mechanics-of-trufflehog-validation
+    - https://www.bleepingcomputer.com/news/security/researchers-report-amazon-ses-abused-in-phishing-to-evade-detection/
     - https://permiso.io/blog/introducing-detention-dodger
+    - https://github.com/trufflesecurity/trufflehog
     - https://github.com/Cybr-Inc/fwdcloudsec-2025-summaries
 """
 
@@ -40,17 +53,19 @@ PATTERN_SEVERITY = Severity.CRITICAL
 DOC_URL = "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-record-contents.html"
 
 _REFERENCES = [
-    "https://trufflesecurity.com/blog/the-mechanics-of-trufflehog-validation",
+    "https://www.bleepingcomputer.com/news/security/researchers-report-amazon-ses-abused-in-phishing-to-evade-detection/",
     "https://permiso.io/blog/introducing-detention-dodger",
+    "https://github.com/trufflesecurity/trufflehog",
 ]
 
-# Substrings (case-insensitive) in CloudTrail userAgent that indicate a
-# known leaked-credentials discovery scanner. Easy to extend as new tools surface.
+# Substrings (case-insensitive) in CloudTrail userAgent that indicate an
+# OFFENSIVE leaked-credentials discovery scanner. DEFENSIVE tools
+# (CloudGrappler, DetentionDodger) are intentionally excluded - operators
+# running them against their own account are not the threat. Easy to extend
+# as new offensive tools surface; resist the urge to add defensive ones.
 _SCANNER_UA_SIGNATURES = (
     "trufflehog",
     "gitleaks",
-    "cloudgrappler",
-    "detention-dodger",
     "noseyparker",
     "secretscanner",
 )

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/tests/aws/threat_feed/test_ses_phishing.py

@@ -1,4 +1,12 @@
-"""Tests for TF-001: SES phishing setup precursor detector."""
+"""Tests for TF-001: SES phishing setup precursor detector.
+
+v2.2.1: severity escalation rewritten. HIGH now requires BOTH out-of-sandbox
+AND a burst of >=2 recent verifications in the same account scan (matches
+Wiz's documented "multiple domains" pattern). The earlier "email identity
+without matching domain" signal was removed - it pointed at the wrong
+attacker behaviour (Wiz documented attackers adding domains, not single
+typosquats).
+"""
 
 from __future__ import annotations
 
@@ -49,6 +57,8 @@ def _identity(name: str, identity_type: str = "EMAIL_ADDRESS", verified: bool =
 
 
 # -----------------------------------------------------------------------------
+# Detection tests
+# -----------------------------------------------------------------------------
 
 
 def test_no_identities_no_findings() -> None:
@@ -59,7 +69,7 @@ def test_no_identities_no_findings() -> None:
 
 
 def test_old_identity_not_flagged() -> None:
-    """Identity verified 60 days ago = not in attack-window, no flag."""
+    """Identity verified 60 days ago = outside the recent window, no flag."""
     name = "newsletter@company.example"
     ses = _ses_client(
         out_of_sandbox=True,
@@ -70,11 +80,11 @@ def test_old_identity_not_flagged() -> None:
     assert result.findings == []
 
 
-def test_recent_identity_in_sandbox_medium() -> None:
-    """Recent identity but account in sandbox = MEDIUM (limited blast radius)."""
-    name = "test@dev.example"
+def test_single_recent_identity_out_of_sandbox_medium() -> None:
+    """One recent identity, even with production sending, is MEDIUM - not a burst yet."""
+    name = "team@trusted.example"
     ses = _ses_client(
-        out_of_sandbox=False,
+        out_of_sandbox=True,
         identities=[_identity(name)],
         details={name: {"CreatedTimestamp": _now() - timedelta(days=2)}},
     )
@@ -84,45 +94,79 @@ def test_recent_identity_in_sandbox_medium() -> None:
     assert f.severity == Severity.MEDIUM
     assert f.category == Category.THREAT
     assert f.threat_pattern_id == ses_phishing.PATTERN_ID
-    assert "test@dev.example" in f.title
+
+
+def test_single_recent_identity_in_sandbox_medium() -> None:
+    """Single recent + sandbox = MEDIUM (limited blast radius)."""
+    name = "test@dev.example"
+    ses = _ses_client(
+        out_of_sandbox=False,
+        identities=[_identity(name)],
+        details={name: {"CreatedTimestamp": _now() - timedelta(days=2)}},
+    )
+    result = ses_phishing.detect(_provider(ses))
+    assert len(result.findings) == 1
+    f = result.findings[0]
+    assert f.severity == Severity.MEDIUM
     assert "sandbox" in f.description.lower()
 
 
-def test_recent_identity_out_of_sandbox_with_matching_domain_medium() -> None:
-    """Recent email identity + production sending + matching DOMAIN identity in account = MEDIUM."""
-    email = "alerts@trusted.example"
-    domain = "trusted.example"
+def test_burst_out_of_sandbox_escalates_to_high() -> None:
+    """TWO+ recent verifications + production sending = HIGH (Wiz burst pattern)."""
     ses = _ses_client(
         out_of_sandbox=True,
         identities=[
-            _identity(email, identity_type="EMAIL_ADDRESS"),
-            _identity(domain, identity_type="DOMAIN"),
+            _identity("domain1.example", identity_type="DOMAIN"),
+            _identity("domain2.example", identity_type="DOMAIN"),
         ],
         details={
-            email: {"CreatedTimestamp": _now() - timedelta(days=2)},
-            domain: {"CreatedTimestamp": _now() - timedelta(days=200)},  # old, won't be flagged
+            "domain1.example": {"CreatedTimestamp": _now() - timedelta(days=1)},
+            "domain2.example": {"CreatedTimestamp": _now() - timedelta(days=3)},
         },
     )
     result = ses_phishing.detect(_provider(ses))
-    # Only the recent email is flagged. Domain match -> MEDIUM (not HIGH).
-    flagged = [f for f in result.findings if f.severity != Severity.INFO]
-    assert len(flagged) == 1
-    assert flagged[0].severity == Severity.MEDIUM
+    assert len(result.findings) == 2
+    # BOTH findings escalate - the burst count is account-scoped, not per-finding
+    for f in result.findings:
+        assert f.severity == Severity.HIGH
+        assert "burst pattern" in f.description.lower()
+        assert "wiz" in f.description.lower()
 
 
-def test_recent_email_no_matching_domain_out_of_sandbox_high() -> None:
-    """Recent email + out-of-sandbox + NO matching domain = HIGH (typosquat pattern)."""
-    name = "support@typosquat.example"
+def test_burst_in_sandbox_stays_medium() -> None:
+    """Burst but account still in sandbox = MEDIUM (no external blast radius)."""
+    ses = _ses_client(
+        out_of_sandbox=False,
+        identities=[
+            _identity("d1.example", identity_type="DOMAIN"),
+            _identity("d2.example", identity_type="DOMAIN"),
+        ],
+        details={
+            "d1.example": {"CreatedTimestamp": _now() - timedelta(days=1)},
+            "d2.example": {"CreatedTimestamp": _now() - timedelta(days=2)},
+        },
+    )
+    result = ses_phishing.detect(_provider(ses))
+    assert len(result.findings) == 2
+    for f in result.findings:
+        assert f.severity == Severity.MEDIUM
+
+
+def test_email_no_matching_domain_does_not_escalate() -> None:
+    """v2.2.1 regression check: the removed 'typosquat' heuristic must not return.
+
+    Wiz documented attackers verifying DOMAINS in bursts, not single emails
+    without a matching domain. A single email identity, even out-of-sandbox,
+    must stay MEDIUM unless the burst threshold is met.
+    """
     ses = _ses_client(
         out_of_sandbox=True,
-        identities=[_identity(name)],
-        details={name: {"CreatedTimestamp": _now() - timedelta(days=1)}},
+        identities=[_identity("support@typosquat.example")],
+        details={"support@typosquat.example": {"CreatedTimestamp": _now() - timedelta(days=1)}},
     )
     result = ses_phishing.detect(_provider(ses))
     assert len(result.findings) == 1
-    f = result.findings[0]
-    assert f.severity == Severity.HIGH
-    assert "typosquat" in f.description.lower()
+    assert result.findings[0].severity == Severity.MEDIUM
 
 
 def test_pending_identity_not_flagged() -> None:
@@ -137,6 +181,30 @@ def test_pending_identity_not_flagged() -> None:
     assert result.findings == []
 
 
+def test_burst_only_counts_recent_identities() -> None:
+    """Old (>14d) identities do not contribute to the burst count.
+
+    Account has 1 recent identity and 1 old identity. Old one is filtered
+    out before the burst check, so burst_count = 1, severity stays MEDIUM
+    even out-of-sandbox.
+    """
+    ses = _ses_client(
+        out_of_sandbox=True,
+        identities=[
+            _identity("recent.example", identity_type="DOMAIN"),
+            _identity("old.example", identity_type="DOMAIN"),
+        ],
+        details={
+            "recent.example": {"CreatedTimestamp": _now() - timedelta(days=2)},
+            "old.example": {"CreatedTimestamp": _now() - timedelta(days=200)},
+        },
+    )
+    result = ses_phishing.detect(_provider(ses))
+    assert len(result.findings) == 1
+    assert "recent.example" in result.findings[0].resource_id
+    assert result.findings[0].severity == Severity.MEDIUM
+
+
 def test_remediation_includes_delete_and_audit() -> None:
     name = "phish-staging@bad.example"
     ses = _ses_client(
@@ -174,11 +242,7 @@ def test_pattern_metadata_exposed() -> None:
 
 
 def test_provider_client_failure_swallowed_per_region() -> None:
-    """sesv2 client init failure in a region is swallowed (region opt-in is the common cause).
-
-    This differs from patterns where AWS perms errors should surface - SES is region-scoped
-    and many regions don't have sesv2 at all. We trade error visibility for noise reduction.
-    """
+    """sesv2 client init failure in a region is swallowed (region opt-in is the common cause)."""
     p = MagicMock(spec=AWSProvider)
     p.regions = ["us-east-1"]
     p.client.side_effect = RuntimeError("boom")

{cloud_audit-2.2.0 → cloud_audit-2.2.1}/tests/aws/threat_feed/test_trufflehog_ua.py

@@ -136,3 +136,21 @@ def test_pattern_metadata_exposed() -> None:
     assert trufflehog_ua.PATTERN_ID == "TF-004-trufflehog-ua-cloudtrail"
     assert trufflehog_ua.CHECK_ID == "aws-tf-004"
     assert trufflehog_ua.PATTERN_SEVERITY == Severity.CRITICAL
+
+
+def test_cloudgrappler_ua_not_flagged() -> None:
+    """v2.2.1: defensive tools (Permiso CloudGrappler) must NOT be flagged.
+
+    Their UA appearing in CloudTrail means a defender is running them
+    against the account, not that the account is under attack.
+    """
+    ct = _ct_with_events(events=[_event("cloudgrappler/1.0")])
+    result = trufflehog_ua.detect(_provider(ct))
+    assert result.findings == []
+
+
+def test_detention_dodger_ua_not_flagged() -> None:
+    """v2.2.1: defensive tools (Permiso DetentionDodger) must NOT be flagged."""
+    ct = _ct_with_events(events=[_event("detention-dodger/1.0")])
+    result = trufflehog_ua.detect(_provider(ct))
+    assert result.findings == []